On Sun, 30 Jul 2006, Mark Wolk wrote:
> Thanks for the explanations. I am no expert, just a regular user who
> cares about customer service. My understanding was that SPF had been
> created to prevent spoofing. I had worked hard to implement SPF on my
> domains. Now, if you are telling me that spoofing is still possible
> and it may be normal that spoofed messages arrive with SPF_PASS, I am
> all confused. I no longer understand what is the point of SPF???

It prevents spoofing of MAILFROM and HELO. There are dozens of other
identities in a mail message that could be spoofed as well. When
you say "prevents spoofing", you have to specify spoofing of what?

Did you read the http://new.openspf.org/SPF_vs_Sender_ID page?
How about http://new.openspf.org/Related_Solutions ?

Perhaps there needs to be an end user page. In general, it is not
possible to prevent spoofing of everything that could be spoofed.
SPF protects the SMTP envelope headers MAILFROM and HELO. That is like the
postmark and return address on a snail mail envelope.

The DKIM system will eventually protect every header field. But,
I could still spoof the inside of the message, pretending to be
your Aunt Rachel, even though I have only hijacked her PC or borrowed
her laptop while she was deep in a book at the library.

If you have SPF for the SMTP envelope, plus S/MIME for the header fields and
contents, and your S/MIME private key has biometric password protection, you
can get pretty close.

Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
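
Added example (not part of the original post): a Python check that reads a
Received-SPF header and reports which identities the SPF result actually
covers, showing how a message can carry an SPF pass while its From: header
names a different domain. The sample message, its domains and the function
name spf_coverage are constructed for illustration; domains are compared by
exact match, which is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passed for the envelope sender (mailer.example),
# but the From: header shown to the user names family.example.
SAMPLE = """\
Return-Path: <bounce@mailer.example>
Received-SPF: pass (mx.receiver.example: domain of bounce@mailer.example
 designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
 envelope-from="bounce@mailer.example"; helo=mail.mailer.example;
From: Aunt Rachel <rachel@family.example>
To: mark@customer.example
Subject: hello

body
"""


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def spf_coverage(raw_message):
    """Report the SPF result and whether it says anything about From:."""
    msg = message_from_string(raw_message)
    # Unfold the header, then take the leading result keyword.
    spf = " ".join((msg.get("Received-SPF") or "").split())
    result = spf.split(" ", 1)[0].lower() if spf else "none"
    # Drop the human-readable comment, then read the key=value pairs.
    pairs = dict(re.findall(r'([\w-]+)=("[^"]*"|[^;\s]+)',
                            re.sub(r"\([^)]*\)", "", spf)))
    envelope_domain = domain_of(pairs.get("envelope-from", "").strip('"'))
    header_from_domain = domain_of(msg.get("From", ""))
    return {
        "spf_result": result,
        "envelope_domain": envelope_domain,        # MAILFROM: checked by SPF
        "helo": pairs.get("helo", "").strip('"'),  # HELO: checked by SPF
        "header_from_domain": header_from_domain,  # From: not checked by SPF
        # The pass only vouches for From: when it names the envelope domain.
        "from_covered": result == "pass"
                        and envelope_domain == header_from_domain,
    }


if __name__ == "__main__":
    for key, value in spf_coverage(SAMPLE).items():
        print(f"{key}: {value}")
```
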